Edge + serverless + model-serving batch (W2.5.C) — three upstream-
subchart umbrella Blueprints completing the bootstrap-kit slots for
WebRTC media relay (bp-relay → bp-stunner) and the AI/ML serving stack
(bp-cortex → bp-kserve → bp-knative).
Each chart follows the canonical umbrella pattern from
docs/BLUEPRINT-AUTHORING.md §11.1: Chart.yaml declares the upstream
chart under `dependencies:` so `helm dependency build` bundles the
upstream payload into the OCI artifact, and Catalyst-curated overlay
values + templates sit alongside in chart/values.yaml + chart/templates/.
Per-chart highlights:
- bp-stunner/1.0.0 — wraps stunner/stunner-gateway-operator 1.1.0.
Ships a Cilium-native GatewayClass (Capabilities-gated on
gateway.networking.k8s.io/v1) so bp-relay (LiveKit / SFU) can claim
Gateway CRs without an operator-ordering dance. Default UDP TURN port
range 30000-32767 matches the range opened at the Sovereign edge
firewall (Crossplane bp-firewall composition).
- bp-knative/1.0.0 — wraps knative-operator v1.21.1. Ships a
KnativeServing CR pre-configured for **istio-less mode**
(ingress.istio.enabled=false, ingress.contour.enabled=false,
ingress.kourier.enabled=false; config.network.ingress-class=cilium).
Sovereign FQDN sourced from values, no hardcoded fallback per
inviolable principle #4 — render fails loudly if cluster overlay
doesn't set knativeOverlay.knativeServing.sovereignFqdn.
- bp-kserve/1.0.0 — wraps kserve/kserve v0.16.0 (latest version
published on the official OCI registry as of 2026-04-30). Default
deploymentMode=RawDeployment (no Knative hop on the hot path) but
bp-knative is still installed (declared as a hard dep) so per-IS
annotation `serving.kserve.io/deploymentMode: Serverless` opts in to
scale-to-zero per tenant. Cilium native Gateway-API ingress
(enableGatewayApi=true, className=cilium, disableIstioVirtualHost=
true).
Observability discipline (issue #182): every observability toggle
(ServiceMonitor, HPA, GatewayClass) defaults false and is operator-
tunable via per-cluster overlay once bp-kube-prometheus-stack reconciles.
Each chart ships tests/observability-toggle.sh covering default-off,
opt-in (with `--api-versions monitoring.coreos.com/v1` to simulate
Prometheus Operator CRDs), and explicit-off cases.
Per-chart kind summary (helm template default render):
bp-stunner: ClusterRole, ClusterRoleBinding, ConfigMap, Dataplane,
Deployment, Role, RoleBinding, Service, ServiceAccount.
(+ GatewayClass when --api-versions
gateway.networking.k8s.io/v1 is passed.)
bp-knative: ClusterRole, ClusterRoleBinding, ConfigMap,
CustomResourceDefinition, Deployment, KnativeServing,
Role, RoleBinding, Secret, Service, ServiceAccount.
bp-kserve: Certificate, ClusterRole, ClusterRoleBinding,
ClusterServingRuntime, ClusterStorageContainer,
ConfigMap, Deployment, Gateway, Issuer,
MutatingWebhookConfiguration, Role, RoleBinding,
Service, ServiceAccount, ValidatingWebhookConfiguration.
`helm lint` clean for all three (single INFO on missing icon — icons
land with marketplace card work).
`bash tests/observability-toggle.sh` green for all three (3 cases each:
default-off, opt-in, explicit-off).
Closes#263#264#265
Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pass 25's deferred sweep, executed. Image refs of the form
harbor.<domain>/... (and one registry.<domain>/... in temporal) collapse
the location-code segment. Per NAMING §5.1, Catalyst per-host-cluster
Harbor DNS is harbor.{location-code}.{sovereign-domain} (e.g.
harbor.hfmp.openova.io).
Fixed (11 instances, 9 files):
- anthropic-adapter, bge (×2), debezium, harbor (×2 — ingress + Kyverno
policy), knative (×2 — serving + traffic-split), llm-gateway, strimzi,
trivy — all standardized to harbor.<location-code>.<sovereign-domain>.
- temporal had two drift items in one line: registry.<domain> (off-spec
placeholder — Catalyst's only per-host-cluster registry is Harbor) AND
legacy "fuse" namespace (renamed to bp-fabric per BUSINESS-STRATEGY
§16.2 / Pass 26). Rewritten to fabric/order-worker.
Out of scope (deliberate): :latest tag hygiene, and whether Application
Blueprint READMEs should reference ghcr.io/openova-io/bp-<name>:<semver>
vs the Sovereign Harbor mirror. Stalwart customer-email-domain <domain>
placeholders preserved (correct semantics). external-dns illustrative
gslb/api/svc.<domain> preserved (upstream-doc generic).
With Pass 29 (canonical-doc DNS) + Pass 31 (carry-over fixes) + Pass 32
(image registry), the recurring DNS-placeholder collapse drift category
is addressed end-to-end.
Validation log Pass 32 entry added.
Remove hierarchical grouping (networking/, security/, etc.) and use flat
structure for all 41 platform components.
Changes:
- All components now directly under platform/ (no subfolders)
- AI Hub components moved from meta-platforms/ai-hub/components/ to platform/
- Open Banking components (lago, openmeter) moved to platform/
- meta-platforms/ now only contains README files that reference platform/
- Open Banking custom services remain in meta-platforms/open-banking/services/
Structure:
- platform/ (41 components, flat)
- meta-platforms/ai-hub/ (README only, references platform/)
- meta-platforms/open-banking/ (README + 6 custom services)
All documentation links updated.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
